override attribute value for given SP?

Boyd, Todd M. tmboyd1 at ccis.edu
Tue Aug 25 20:01:39 UTC 2020


While this is of course not an ideal situation, it is navigable. In the context of an LDAP attribute resolver, you could just define a new attribute that uses A's format but B's source property. If A is uid and B is mail or some such, it would look something like this (note - untested and mostly off the top of my head with a bit of copy/paste):

	<AttributeDefinition xsi:type="Simple" id="uid">
		<InputDataConnector ref="myLDAP" attributeNames="sAMAccountName" />
		<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
		<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
	</AttributeDefinition>
	<AttributeDefinition xsi:type="Simple" id="uidHack">
		<InputDataConnector ref="myLDAP" attributeNames="mail" />
		<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
		<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
	</AttributeDefinition>

Since attribute-filter.xml relies on attribute IDs and not attribute names, you would release uidHack to the SP rather than uid and it should be none the wiser. It will receive an attribute with the uid name but the value that would normally be released by the mail attribute.


-Todd

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Ryan Suarez
Sent: Tuesday, August 25, 2020 1:22 PM
To: users at shibboleth.net
Subject: override attribute value for given SP?



Greetings,

We are running shib IdP v3.x and have the following attributes:

<Attribute name="urn:oid:x.1" id="A"/>
<Attribute name="urn:oid:x.2" id="B"/>

For whatever reason the SP wants B but can only consume A.  They are asking us to release A (which we are already making use of), but they are requesting that its value should contain B.  Is it possible to override attributes per SP?

regards,
Ryan
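
The filter side of the reply at the top of this thread, as an added example that is not part of the original messages: an attribute-filter.xml policy that releases uidHack to one SP and explicitly denies uid to it. The policy id and the entityID https://sp.example.org/shibboleth are placeholders, and the fragment assumes the enclosing AttributeFilterPolicyGroup declares the urn:mace:shibboleth:2.0:afp default namespace and the xsi prefix.

```xml
<!-- Added example: goes inside the existing <AttributeFilterPolicyGroup>.
     The policy id and entityID below are placeholders, not values from the thread. -->
<AttributeFilterPolicy id="releaseUidHackToExampleSP">

    <!-- Applies only when the requesting SP has this entityID. -->
    <PolicyRequirementRule xsi:type="Requester"
                           value="https://sp.example.org/shibboleth" />

    <!-- Release the definition with id "uidHack": it is encoded on the wire
         under the uid names but carries the mail value. -->
    <AttributeRule attributeID="uidHack">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- Deny the real uid to this SP. A deny overrides a permit from any
         other policy (for example a catch-all that releases uid to every SP),
         so the SP is not sent both values under the same attribute name. -->
    <AttributeRule attributeID="uid">
        <DenyValueRule xsi:type="ANY" />
    </AttributeRule>

</AttributeFilterPolicy>
```

Because both definitions encode to the same name, the rules are keyed on the attribute id, which is what keeps the override limited to this one SP.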

